Efficient Proxy Re-encryption Scheme for E-Voting System

  • Li, Wenchao (School of Cyber Science and Technology, Beihang University) ;
  • Xiong, Hu (School of Information and Software Engineering, University of Electronic Science and Technology of China)
  • Received : 2020.09.11
  • Accepted : 2021.04.14
  • Published : 2021.05.31

Abstract

With the development of information and communication technologies, especially wireless networks and cell phones, e-voting systems have become popular owing to their cost-effectiveness, swiftness, scalability, and ecological sustainability. However, current e-voting schemes face the problem of privacy leakage, which in turn worsens vote-buying and voter-coercion problems. Moreover, in large-scale voting, the pairing operations used by some previous e-voting encryption schemes impose a heavy overhead on the voting system. Thus, it is vital to design a protocol that protects voter privacy and is at the same time efficient enough to guarantee the effective implementation of e-voting. To address these problems, our paper proposes an efficient unidirectional proxy re-encryption scheme that provides re-encryption of the vote content and verification of users' identity. This function can be applied directly in the e-voting system to protect the content of the vote and preserve the privacy of the voter. Our proposal is proven to be CCA secure and collusion resistant. The detailed analysis also shows that our scheme achieves higher efficiency in computation cost and ciphertext size than the schemes in related fields.

1. Introduction

Electronic voting has been applied in politics, the economy, and even daily entertainment to collect people’s opinions about political and social decisions. With the help of deep learning in data classification and detection technology, the electronic voting system can achieve higher efficiency and accuracy in statistics [1-2]. In order to make electronic elections completely democratic, a security mechanism is needed to ensure the privacy of voters. In addition, the content of the vote includes important information, such as which candidate the voter votes for and whether the vote is an “affirmative vote”, a “dissenting vote” or an “abstention vote”. For these reasons, the protection of user identity and voting content is an essential function in the voting process. Once the voter’s identity or the vote content is exposed during the voting process, corrupt candidates can force or entice the voter to vote for them.

Cryptography serves as an information protection mechanism that can strengthen the security of voting content. In the context of cryptography, public key encryption can be used to convert the voting content into a non-readable format, so that no one except the voter himself/herself can decrypt the ciphertext to obtain the specific vote content. At present, cryptography is widely used to strengthen the security of networks and resist various attacks [3-8]. The voting system is no exception. Some cryptographic techniques are applied in the voting system to make it secure and reliable. The authors of [9] discussed the realization of receipt-freeness by re-encrypting the ciphertext. In [10], timed-release cryptography is also used to prevent the early opening of electronically cast votes in the e-voting system, thus avoiding election fraud.

However, votes in a non-readable format under public key encryption are difficult to count directly. In this context, a voter can directly transmit his/her private key to the bulletin board to decrypt the ballot, and then every candidate’s ballots are counted. Unfortunately, this approach easily causes the disclosure of the voter’s private key and further threatens the security of the voter’s identity. Moreover, in large-scale voting, voting under public key encryption requires the server of the voting center to exchange information multiple times with each voter, which is impractical in a real environment.

We noticed that the structure of proxy re-encryption (PRE) matches the multiple requirements of a voting system well. Proxy re-encryption can not only ensure that the content of the ballot remains encrypted during transmission, but also re-encrypt the ballot through the proxy so that a specific delegated user can decrypt it. Blaze et al. [11] introduced the notion of PRE, in which the proxy is given a conversion key that allows it to transform a message encrypted with the public key of the data sender into another message encrypted with the public key of the data receiver. Due to its flexibility and convenience, PRE is applicable to many practical scenarios, such as cloud computing [12], personal health records [13], distributed file systems [14], and secure email forwarding [11].

To illustrate more specifically, let us consider the process of the proxy re-encryption operation, as shown in Fig. 1. Suppose the data sender (say, Alice) plans to share her own encrypted data with the data receiver (say, Bob). Alice wants to keep her identity anonymous in this transformation process and to guarantee that nobody except Bob can access the sensitive data.

Fig. 1. PRE system model diagram

By utilizing the PRE primitive, Alice can transmit the ciphertext and the conversion key to the proxy, and the proxy cannot obtain the information or recognize the identity of Alice. Next, the proxy generates the conversion ciphertext. Finally, by using his secret key, Bob is able to obtain the plaintext from the conversion ciphertext. In this way, the data sender can keep her identity anonymous in the re-encryption process.

In our proxy re-encryption scheme, the voter’s encrypted vote is re-encrypted by the proxy, and finally the candidate (delegated candidate) obtains vote by decrypting the vote ciphertext. In order to increase the openness and fairness of voting, the encrypted voting is decrypted jointly by the administrator and the candidates on the bulletin board. In this way, both the security and the count of votes can be ensured. At the same time, the direct secret information transmission (such as vote’s private key) between voters, candidates, and the voting center server is avoided, thereby the privacy of voters is strengthened.

However, in proxy re-encryption, a semi-trusted proxy may also collude with candidates to obtain the voter’s private key (the voter’s identity information). For this collusion problem, we designed a collusion-resistant proxy re-encryption scheme. This scheme ensures that even if the candidate sends his private key to the proxy, the proxy cannot obtain the voter’s information from the re-encrypted vote or the re-encryption key. Moreover, many previous proxy re-encryption schemes encrypt the data by relying on bilinear pairing, which brings heavy overhead. Our scheme avoids the use of bilinear pairs, thereby reducing the burden of computational and communication costs of the voting system.

The encryption schemes have achieved the function of voter privacy and vote content protection. However, there are still some problems in the voting system. These problems hinder the development of research and the advance of social justice. Electronic voting is expected to replace the cumbersome and no privacy guaranteed paper-based vote, and it has been researched over thirty years. Numerous protocols were proposed, and some of them have been implemented in real-world referenda such as Direct Recording Electronic (DRE) [15] systems and Helios [16,17] systems. Some DRE systems [18] have such an idea to provide variable receipts to the electorate. Yet this solution in ill-designed voting systems will leak voter’s privacy and further not only pose a threat to the safety of voters but also break fairness of the election.

All of these phenomena underline the importance of additional protection of voter privacy while providing verifiability to voters. Hence advanced security requirements called receipt-freeness and coercion-resistance were proposed. The notion of receipt-freeness was first proposed in 1994 [19], though that scheme was later proved unable to provide receipt-freeness by Hirt et al. [20]. Receipt-freeness means that a voter is unable to prove to any attacker how he voted, while verifiability is retained. Generally there exist two cryptographic tools to achieve receipt-freeness: homomorphic encryption [20-24] and Mix-net [25-32].

Wen et al. [22] proposed the receipt-free voting scheme named Masked Ballot. Their online voting scheme is achieved under a more practical physical assumption. The online voting scheme supports Internet voting from any lightweight device that has access to the network. However, under their assumptions only receipt-freeness is possible. In addition, their scheme has a limitation: the voter needs to securely acquire a single-use mask before each election. Yu et al. [23] introduced a practical platform-independent secure and verifiable voting system. The advantage of their voting system is that the scheme suits any blockchain that supports the operation of smart contracts. There are two main advantages of their scheme. First, it takes advantage of the decentralized trust provided by blockchain technology, which removes the need for a centralized trusted party to tally the ballots. Second, their scheme also builds a practical platform-independent secure e-voting protocol from key security primitives. However, their scheme cannot avoid requiring the administrator to upload the encryption of zero pool. Moreover, increases in both the block size and the chain length aggravate the time cost of retrieving a certain block in the blockchain. In [24], the authors introduced a framework for practical and receipt-free remote voting. However, their scheme has two limitations. First, crypto calculations are needed in both the registration phase and the vote casting phase, but the scheme does not provide concrete operations for ordinary voters. Second, because the candidate is represented by the value v, adversaries may force or bribe voters to change their votes. The author in [25] introduced some receipt-free voting schemes for large-scale elections. One of the provided schemes demands the assistance of the voting commission; a physical assumption and an untappable channel are also required. Although the other one does not need the assistance of the commission, a stronger physical assumption and a voting booth are indispensable. In paper [28], the authors proposed a secure hardware device for the voting system, called the tamper-resistant randomizer. They claimed this hardware device can replace the third-party randomizer and the untappable channel. In [30], a simple and efficient method to incorporate receipt-freeness in mix-net based electronic voting schemes is given. However, because a large amount of computation is required for multiple mixers, the above voting schemes based on mix-net are mostly not efficient.

Based on the above characteristics of the voting system, we propose an improved proxy re-encryption scheme. Our proxy re-encryption scheme (1) uses dual public keys and dual private keys as the real identity and the voting system identity, respectively. This method allows voters to hide their true information and vote anonymously, so the disclosure of voters’ identity is prevented at the root. (2) It adds the administrator’s list. Each voter obtains a private key when registering, and the administrator generates a corresponding list of identity information to verify the identity of the voter during voting. (3) The administrator further randomly encrypts the re-encrypted vote to ensure that the voter cannot provide a receipt, i.e., the voter is not able to prove to a coercer which way he/she voted.

1.1 Contribution and Innovations

First, we proposed a voting system PRE scheme and showed how it works in voting system. From the perspective of cryptography, it is one of the most meaningful combinations of cryptographic protocols and practical applications. Protecting the privacy of the recipients’ identities can be realized by the PRE method. Our proposal enjoys the properties simultaneously as below:

● Multiple security attributes: The scheme also has attributes such as unidirectional, key privacy, collusion-resistant.

● Verifiable: We combined the proxy re-encryption scheme and digital signature to realize a verifiable proxy re-encryption scheme.

● Scalable: Few cryptographic primitives other than the Schnorr digital signature and PRE are used in our scheme, in order to improve the efficiency of calculation and communication and hence enlarge the scale of the election. Our scheme does not have a pairing cost. The small overhead in communication cost and computation cost allows our proposal to be used in various applications.

● Applied in voting system: In general, PRE schemes are previously used in cloud computing and distributed file systems. To the best of our knowledge, few studies in literature combined proxy re-encryption with electronic voting. In our voting protocol, we illustrate how it works to provide receipt-freeness and candidate-adaptiveness to voting systems.

● Security and efficiency: This paper provides a concrete security proof of chosen-ciphertext security; meanwhile, collusion-resistance is not ignored. The proxy cannot recover the data owner’s private key by colluding with the data receiver. We also conduct and analyze a simulation experiment. The results show that this scheme performs relatively well in terms of both communication complexity and computation cost.

● Experimental comparison: We have run our scheme and the other compared articles on the experimental platform at the same time. Meantime, the experimental results are presented in multiple figures.

The organization of our paper is presented below. Assumptions and scheme definitions are discussed in Section 2. The construction of our PRE is presented in Section 3 and a security proof of our proposal is analyzed in Section 4. In addition, this paper delineates how proxy re-encryption is used in a voting system, and we also give an analysis of voting requirements in Section 5. At last, the efficiency comparison and the conclusion of our work are shown in Section 6 and Section 7.

2. Preliminaries

2.1 Schnorr Signature

The existentially unforgeable Schnorr signature has system parameters \((\mathbb{G}, g, q, H(\cdot))\). In these parameters, \(\mathbb{G}\) is a finite cyclic group of prime order \(q\), \(g\) is a generator of \(\mathbb{G}\), and \(H(\cdot):\{0,1\}^{*} \rightarrow \mathbb{Z}_{q}^{*}\) is a cryptographic hash function.

● KeyGen\(\left(1^{\lambda}\right) \rightarrow k\). This step generates a signing key \(sk \stackrel{R}{\leftarrow} \mathbb{Z}_{q}^{*}\) and a verifying key \(pk=g^{sk}\).

● Sign\((sk,m) \rightarrow \sigma\). On input \(sk\) and \(m\), this algorithm generates \(\sigma=(s,R)\), where \(R=g^{r}\), \(s=r+sk \cdot H(m \| R) \bmod q\), and \(r \stackrel{R}{\in} \mathbb{Z}_{q}^{*}\).

● Verify\((pk,m,\sigma) \rightarrow m\). On input \(pk\), \(m\), and \(\sigma\), the verifying algorithm returns 1 if \(g^{s}=R \cdot pk^{H(m \| R)}\); otherwise, it outputs 0.

2.2 Complexity Assumption

The security of our proposed scheme is based on the Decisional Diffie–Hellman (DDH) assumption. The DDH assumption in \(\left(q, \mathbb{G}, \mathbb{G}_{T}\right)\) consists of the following definition: on input a tuple \((g, g^{a}, g^{b}, T)\), the algorithm returns 1 if \(T=g^{ab}\); otherwise it outputs 0. The advantage of adversary \(\mathcal{A}\) in solving the DDH problem is as follows:

\(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{DCDH}}=\left|\operatorname{Pr}\left[\mathcal{A}\left(g, g^{a}, g^{b}, g^{a b}\right)=1\right]-\operatorname{Pr}\left[\mathcal{A}\left(g, g^{a}, g^{b}, T\right)=1\right]\right|\)

T is an element randomly selected from \(\mathbb{G}_{T}\), where \(g \in \mathbb{G}\), \(b \in \mathbb{Z}_{q}^{*}\). The DDH problem is difficult in the bilinear mapping if there does not exist a probabilistic polynomial-time algorithm \(\mathcal{A}\) that has a non-negligible advantage in solving the DDH problem.

2.3 Scheme Definition

The voting PRE scheme of this paper contains the following algorithms (Setup, KeyGen, Administrator List, ReKeyGen, Enc, ReEnc, Dec). For ease of description, some intuitive notations and abbreviations used in our proposed protocol are shown in Table 1.

Table 1. Description of notations

● Setup\((1^{k}) \rightarrow par\): The security parameter \(k\) is input, and the global public parameters are output and distributed to users.

● KeyGen\((par) \rightarrow SK\): The public parameter \(par\) is input, and a key pair \((sk_{i,n}, pk_{i,n})\) is returned.

● Administrator List\((sk_{i,n}) \rightarrow List\): On inputting public parameter \(sk_{i,n}\), this algorithm generates the voting registrants list \([x_{i}]\), the candidate list \([x_{j}]\) and the verification list.

● ReKeyGen\((par, sk_{i,n}, pk_{j,l}) \rightarrow RK\): Operated by user \(i\). It takes the secret key \(sk_{i,n}\), the public parameter \(par\), and the public key \(pk_{j,l}\) as input and generates the re-encryption key \(RK\).

● Enc\((par, pk_{i,n}, m) \rightarrow \sigma\): The user’s public key \(pk_{i,n}\), a message \(m\) and the public parameters \(par\) are input, and a ciphertext \(\sigma\) under the user’s public key \(pk_{i,n}\) is returned. The ciphertext \(\sigma\) can be re-encrypted by \(RK\) and only by \(RK\).

● ReEnc\((\sigma, RK) \rightarrow \sigma'\): Operated by the proxy. On input the ciphertext \(\sigma\) and the conversion key \(RK\), the re-encrypted ciphertext \(\sigma'\) is returned.

● Dec\((\sigma', sk_{j,l}) \rightarrow m\): Operated by user \(j\). On input the ciphertext \(\sigma'\), the plaintext \(m\) is returned.

Finally, for any \(par\), \(m \in \mathbb{G}_{T}\), \(sk_{i,n} \in \mathbb{Z}_{q}^{*}\), our proposal needs to meet the following requirement:

\(\operatorname{Dec}\left(\operatorname{ReEnc}\left(\operatorname{Enc}\left(par, m, pk_{i,n}\right), \operatorname{ReKeyGen}\left(par, sk_{i,n}, pk_{j,l}\right)\right), sk_{j,l}\right)=m\)

2.4 System Model

As shown in Fig. 2, there are several entities in the voting system, including an administrator, n voters (i=1,...,n), l candidates (j=1,...,l), a proxy, and a converter. Next, we detail the responsibilities of each entity.

Fig. 2. Proxy re-encryption for voting system model

Voter: The voters first send a registration request to the administrator and then receive a key pair from the private key generator (PKG). In the voting process, the voters encrypt the vote with the public key of the administrator. Then voters encrypt the first-level ciphertext to generate the ciphertext and send the ciphertext and the re-encryption key to the proxy. The conversion key is the crucial part of voting. The voter generates the re-encryption key from his/her own private key and the public key of the candidate he/she supports. Thus, the re-encrypted ciphertext can only be decrypted by the candidate who is voted for.

Proxy: After receiving the voter’s conversion key and encrypted ciphertext, the semi-trusted proxy converts the vote and delivers the converted vote to the bulletin board. The user’s identity can be kept secret, because the proxy cannot obtain the plaintext or the private key. Thus, the identities of voters and candidates are kept secret and hidden by re-encryption. In this way, the identity of voters can be converted securely, and the candidates cannot identify the voter behind the final vote.

Candidates: When the voting process ends, all the candidates decrypt the votes on the bulletin board with their private keys. Then these candidates publish their secret keys on the bulletin board so that all users are able to verify the vote result.

Private Key Generator(PKG): As a trusted entity, PKG is responsible for generating private keys for users. In voting system, the PKG generates the key pair and the verify key for verifying voters’ identity.

Trusted Administrator: At the beginning of voting, the administrator generates the voting registrants list for legitimate registered voters, the candidate list and the verification list. These registrant lists are kept secret from voters and candidates and are stored by the administrator to verify the identity of voters.

When the balloting process has ended, the administrator witnesses the candidates decrypting the re-encrypted votes and records the count of votes for every candidate. After the candidates perform the first-level decryption of the vote, the administrator performs the second-level decryption with his secret key. There are several kinds of vote: a positive vote (“affirmative vote”), a negative vote (“dissenting vote”), or an “abstention vote”. Receipt-freeness and coercion resistance can be achieved in this way, as the candidates cannot verify whether the corrupted voters have voted as promised.

Normally, candidates can only obtain the re-encrypted vote on the bulletin board, with no knowledge of the original vote (encryption ciphertext) or the identity of the voter (voter’s secret key). Even if candidates obtain the voter’s encryption ciphertext (original vote) by colluding with the proxy or voters, they cannot decrypt the vote encrypted by administrator’s secret key or verify the voter’s vote type.

If the voter did not encrypt the vote by the administrator’s secret key, the vote will be canceled in the administrator’s verification phase. The administrator is an important entity, and it is responsible for verifying voters’ identity, publishing the list of candidates, collecting valid ballots, and announcing the vote result.

2.5 Security Model

Some important terms are defined as follows.

Uncorrupted-keys. When the private key corresponding to a public key cannot be exposed to the adversary, this public key is defined as an uncorrupted public key. \(K_{u c}^{\text {list }}\) is defined as the list of honest users, and the list contains the key pair of each honest user.

Corrupted-keys. When the private key corresponding to a public key can be attacked or compromised by any adversary, this public key is defined as a corrupted public key. \(K_{c}^{\text {list }}\) is set as the list of corrupted public keys.

Definition. Our scheme is a CCA secure PRE scheme if every probabilistic polynomial time (PPT) adversary \(\mathcal{A}\) wins the following game with only a negligible advantage. In the game, \(\mathcal{A}\) plays the role of adversary and C plays the role of challenger.

Key generations. C creates the keys as below. C runs the to create key pair. Then, adds the key pair to \(K_{c}^{\text {list }}\) and \(K_{u c}^{\text {list }}\). obtains the public key from \(K_{c}^{\text {list }}\) and \(K_{u c}^{\text {list }}\) and secret key from \(K_{c}^{\text {list }}\).

Phase 1. Adversary \(\mathcal{A}\) sends queries to \(O_{SK}\), \(O_{RK}\), \(O_{RE}\), \(O_{DEC}\).

● Secret key generation oracle \(O_{SK}\): \(pk_{i}=(pk_{i,1},pk_{i,2})\) is input, and C retrieves \((pk_{i,1},pk_{i,2},sk_{i,1},sk_{i,2})\) for a corrupted public key in \(K_{c}^{\text {list }}\). For an uncorrupted user, C retrieves \((pk_{i,1},pk_{i,2},sk_{i,1},sk_{i,2})\) in \(K_{u c}^{\text {list }}\) and outputs \(sk_{i,1}, sk_{i,2}\) to the adversary; otherwise, C outputs ⊥.

● Re-encryption key generation oracle \(O_{RK}\): If \(g^{S}=A^{H_{3}(A\|B\|C_{2}\|U_{2})} \cdot C\), this oracle continues; otherwise, this oracle returns ⊥ and halts. The input is \((pk_{i},pk_{j})\), where \(pk_{i}\) and \(pk_{j}\) are both from \(O_{RK}\). The oracle takes \((pk_{i},pk_{j})\) as input and returns \(rk=(rk_{1},rk_{2},rk_{3})\) to \(\mathcal{A}\).

● Re-encryption oracle \(O_{RE}\): On input \((pk_{i},pk_{j},\sigma)\), C returns a re-encryption ciphertext \(\operatorname{ReEnc}(\sigma,O_{RK}(pk_{i},pk_{j}))\).

● Decryption oracle \(O_{DEC}\): On input pk and C, this oracle finds the corresponding private key of pk. Then, this oracle decrypts C and returns the plaintext.

● Challenge. When \(\mathcal{A}\) finishes the queries of Phase 1, a public key \(p k_{i}^{*}\) and two equal-length messages \(m_{0},m_{1} \in \{0,1\}\) are sent to C. Algorithm \(\mathcal{A}\) recovers the tuple \((pk_{i},sk_{i},c)\) from \(K^{list}\). C picks \(d \stackrel{R}{\in}\{0,1\}\) and sends the challenge ciphertext generated from \(p k_{i}^{*}\) and \(m_{d}\) to \(\mathcal{A}\).

Phase 2. Adversary continues to issue queries as in Phase 1, under extra conditions.

Guess. Eventually, adversary \(\mathcal{A}\) outputs a guess d∈{0,1} to C.

3. An Efficient Proxy Re-Encryption Construction in Voting System

Here we describe our construction for the efficient proxy re-encryption scheme in voting system.

● Setup\((1^{k}) \rightarrow par\): Select a prime \(q\), where \(k\) is the security parameter. \(g\) is a generator of group \(\mathbb{G}\). \(H_{1}:\{0,1\}^{*} \rightarrow \mathbb{Z}_{q}^{*}\), and \(H_{2}: \mathbb{G} \rightarrow \mathbb{Z}_{q}^{*}\). The global public parameters are \(par: (q, \mathbb{G},g,H_1,H_2)\).

● KeyGen\((par) \rightarrow SK\): Takes the public parameter as input. This algorithm generates \(sk_{i,n}=(sk_{i,n,1},sk_{i,n,2})\) and \(pk_{i,n}=(pk_{i,n,1}=g^{sk_{i,n,1}},pk_{i,n,2}=g^{sk_{i,n,2}})\). Select \(z_{1}, z_{2} \stackrel{R}{\in} \mathbb{Z}_{q}^{*}\) and set \(sk_{i,n,1}=z_{1}+sk_{i,n,2} \cdot z_{2} \bmod q\). The administrator key pair \((pk_{Adm}, sk_{Adm})\) is also generated.

● Administrator List\((sk_{i,n}) \rightarrow List\): This step is operated by the administrator, who sets \(S_{v}=\left(U_{1}, U_{2}, U_{3}\right)=\left(g^{H_{1}\left(x_{i} \| 0\right)}, g^{H_{1}\left(s k_{i, n} \| 1\right)}, g^{H_{1}\left(x_{i} \| 0\right)+H_{1}\left(s k_{i, n} \| 1\right)}\right)\), where \(x_{i} \stackrel{R}{\in} \mathbb{Z}_{q}^{*}\), \(x_{j} \stackrel{R}{\in} \mathbb{Z}_{q}^{*}\). The administrator holds \(U_{1}\), \(U_{3}\) and keeps them confidential from any other user. This algorithm generates \(S_{v}=\left(U_{1}, U_{2}, U_{3}\right)\).

● ReKeyGen\((par, sk_{i,n}, pk_{j,l}) \rightarrow RK_{i \rightarrow j}\): On input user i’s secret key \(sk_{i,n}=(sk_{i,n,1},sk_{i,n,2})\) and user j’s public key \(pk_{j,l}=(pk_{j,l,1},pk_{j,l,2})\), where there are l campaigners, l∈{1,...,l}, the RK is created as follows:

1. Select \(v \stackrel{R}{\in} \mathbb{Z}_{q}^{*}\), compute \(Z=p k_{j, l, 2}^{v}\),

2. \(rk_{1}=z_{1}\), \(rk_{2}=H_{2}\left(Z^{sk_{i,n,1}}\right) \cdot z_{2} \bmod q\),

3. \(r k_{3}=p k_{i, n, 1}^{v}\),

4. Return \(RK_{i \rightarrow j}=(rk_{1},rk_{2},rk_{3})\).

● Enc\((par, pk_{i,n}, U_{2}, m) \rightarrow \sigma\): Given user i’s secret key and public key, this protocol works as follows. The key pair is \((pk_{i,n},sk_{i,n})\), n∈{1,2,...,n}.

1. Select \(r, r^{\prime} \stackrel{R}{\in} \mathbb{Z}_{q}^{*}\),

2. \(A=g^{r}, B=g^{r^{\prime}}, C_{1}=p k_{i, n, 2}^{r}, C_{2}=p k_{i, n, 1}^{r} \cdot m\),

3. \(U_{2}=g^{H_{1}\left(s k_{i, n} \| 1\right)}, S=H_{2}\left(A\|B\|C_{1}\|C_{2}\|U_{2}\right) \cdot r+r^{\prime} \bmod q\),

4. Output the ciphertext \(\sigma=(A,B,C_{1},C_{2},U_{2},S)\).

● ReEnc\((\sigma, RK_{i \rightarrow j}, pk_{Adm}) \rightarrow C_{Adm}\): On input \(RK_{i \rightarrow j}=(rk_{1},rk_{2},rk_{3})\), an original ciphertext \(\sigma=(A,B,C_{1},C_{2},U_{2},S)\), and the administrator’s \(pk_{Adm}\), this protocol operates as follows.

1. The proxy verifies the relation \(U_{3}=U_{1} \cdot U_{2}\) and sends \(U_{2}\) to the administrator. If the administrator returns true, it goes to the next steps; otherwise, it outputs ⊥ and halts.

2. If \(g^{S}=A^{H_{2}(A\|B\|C_{1}\|C_{2}\|U_{2})} \cdot B\), the algorithm continues to perform the following operations; otherwise, it outputs ⊥ and halts.

3. Compute \(C_{1}^{\prime}=A^{rk_{1}}=g^{r z_{1}}\), \(C_{2}^{\prime}=C_{1}=p k_{i, n, 2}^{r}\), \(C_{3}^{\prime}=C_{2}=p k_{i, n, 1}^{r} \cdot m\), \(C_{4}^{\prime}=r k_{2}=H_{2}\left(Z^{s k_{i, n, 1}}\right) \cdot z_{2} \bmod q\), \(C_{5}^{\prime}=r k_{3}=p k_{i, n, 1}^{v}\). The transformed ciphertext is as follows: \(\sigma^{\prime}=\left(A, B, C_{1}^{\prime}, C_{2}^{\prime}, C_{3}^{\prime}, C_{4}^{\prime}, C_{5}^{\prime}, U_{2}, S\right)\).

4. \(\mathrm{Encrd}(\sigma^{\prime},pk_{Adm})=C_{Adm}\).

● Dec\((C_{Adm}, sk_{Adm}, sk_{j,l}) \rightarrow m\): On input a ciphertext \(C_{Adm}\), the administrator’s secret key \(sk_{Adm}\), and the secret key \(sk_{j,l}\), this protocol operates as follows.

1. Decrypt the ciphertext \(C_{Adm}\) with the administrator’s secret key \(sk_{Adm}\) and obtain the re-encrypted ciphertext \(\sigma^{\prime}=\left(A, B, C_{1}^{\prime}, C_{2}^{\prime}, C_{3}^{\prime}, C_{4}^{\prime}, C_{5}^{\prime}, U_{2}, S\right)\).

2. If \(g^{S}=A^{H_{2}(A\|B\|C_{1}\|C_{2}\|U_{2})} \cdot B\) and \(U_{3}=U_{1} \cdot U_{2}\) hold, i.e., the re-encrypted message and the key pair contained in the message have not been tampered with in transit, then proceed to the following step. Otherwise, this protocol halts.

3. Compute \(z_{2}=\frac{C_{4}^{\prime}}{H_{2}\left(C_{5}^{\prime s k_{j, l, 2}}\right)}=\frac{H_{2}\left(Z^{s k_{i, n, 1}}\right) \cdot z_{2} \bmod q}{H_{2}\left(p k_{i, n, 1}^{v\left(s k_{j, l, 2}\right)}\right)}, \quad m=\frac{C_{3}^{\prime}}{C_{1}^{\prime} \cdot C_{2}^{\prime z_{2}}}=\frac{p k_{i, n, 1}^{r} \cdot m}{g^{r z_{1}} \cdot g^{r\left(s k_{i, n, 2}\right) z_{2}}}\)

Correctness:

\(\begin{aligned} z_{2} &=\frac{C_{4}^{\prime}}{H_{2}\left(C_{5}^{\prime s k_{j, l, 2}}\right)} \\ &=\frac{H_{2}\left(Z^{s k_{i, n, 1}}\right) \cdot z_{2} \bmod q}{H_{2}\left(p k_{i, n, 1}^{v\left(s k_{j, l, 2}\right)}\right)} \\ &=\frac{H_{2}\left(\left(p k_{j, l, 2}^{v}\right)^{s k_{i, n, 1}}\right) \cdot z_{2} \bmod q}{H_{2}\left(p k_{i, n, 1}^{v\left(s k_{j, l, 2}\right)}\right)} \\ m &=\frac{C_{3}^{\prime}}{C_{1}^{\prime} \cdot C_{2}^{\prime z_{2}}}=\frac{p k_{i, n, 1}^{r} \cdot m}{g^{r z_{1}} \cdot g^{r\left(s k_{i, n, 2}\right) z_{2}}} \end{aligned}\)
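The Section 3 algorithms traced end to end, as an added example that is not the authors' code: KeyGen, the administrator's \(U_{3}=U_{1} \cdot U_{2}\) check, ReKeyGen, Enc, the proxy's well-formedness check in ReEnc, and the candidate's Dec. Assumptions of this example: a constructed toy group (p = 2039, q = 1019, g = 4), SHA-256 standing in for \(H_1\) and \(H_2\), vote types encoded as fixed group elements, and the administrator's outer encryption layer (step 4 of ReEnc) left out because the page does not specify it.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, g = 4 has prime order q.
P, Q, G = 2039, 1019, 4
# Assumption of this example: each vote type is encoded as a fixed group element.
VOTES = {"affirmative": pow(G, 1, P), "dissenting": pow(G, 2, P), "abstention": pow(G, 3, P)}


def rand_zq():
    """Uniform element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)


def hash_zq(tag, *parts):
    """Hash to Z_q^*; the tag separates H1 from H2 (the byte encoding is an assumption)."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def keygen():
    """KeyGen: sk_1 = z1 + sk_2*z2 mod q, pk = (g^sk_1, g^sk_2)."""
    while True:
        z1, z2, sk2 = rand_zq(), rand_zq(), rand_zq()
        sk1 = (z1 + sk2 * z2) % Q
        if sk1:  # keep sk_1 inside Z_q^*
            return {"sk": (sk1, sk2), "z": (z1, z2),
                    "pk": (pow(G, sk1, P), pow(G, sk2, P))}


def voter_tag(sk):
    """Exponent H1(sk || 1) behind U2."""
    return hash_zq("H1", sk[0], sk[1], 1)


def admin_list_entry(sk):
    """Administrator List: returns (U1, U3), which the administrator keeps private."""
    h0 = hash_zq("H1", rand_zq(), 0)  # H1(x_i || 0) for a fresh x_i
    return pow(G, h0, P), pow(G, (h0 + voter_tag(sk)) % Q, P)


def rekeygen(voter, pk_j):
    """ReKeyGen: rk = (z1, H2(Z^sk_1)*z2 mod q, pk_1^v) with Z = pk_{j,2}^v."""
    v = rand_zq()
    z = pow(pk_j[1], v, P)
    rk2 = hash_zq("H2", pow(z, voter["sk"][0], P)) * voter["z"][1] % Q
    return voter["z"][0], rk2, pow(voter["pk"][0], v, P)


def enc(voter, m):
    """Enc: sigma = (A, B, C1, C2, U2, S); takes the voter record because U2 needs sk."""
    r, r2 = rand_zq(), rand_zq()
    a, b = pow(G, r, P), pow(G, r2, P)
    c1, c2 = pow(voter["pk"][1], r, P), pow(voter["pk"][0], r, P) * m % P
    u2 = pow(G, voter_tag(voter["sk"]), P)
    s = (hash_zq("H2", a, b, c1, c2, u2) * r + r2) % Q
    return a, b, c1, c2, u2, s


def well_formed(a, b, c1, c2, u2, s):
    """Check g^S == A^{H2(A||B||C1||C2||U2)} * B."""
    return pow(G, s, P) == pow(a, hash_zq("H2", a, b, c1, c2, u2), P) * b % P


def reenc(sigma, rk, admin_entry):
    """ReEnc steps 1-3: returns sigma' or None (the paper's reject symbol)."""
    a, b, c1, c2, u2, s = sigma
    u1, u3 = admin_entry
    if u3 != u1 * u2 % P or not well_formed(*sigma):
        return None
    return a, b, pow(a, rk[0], P), c1, c2, rk[1], rk[2], u2, s


def dec(sigma2, sk_j):
    """Dec step 2 (ciphertext check) and step 3: recover z2, then m."""
    a, b, c1p, c2p, c3p, c4p, c5p, u2, s = sigma2
    if not well_formed(a, b, c2p, c3p, u2, s):
        return None
    z2 = c4p * pow(hash_zq("H2", pow(c5p, sk_j[1], P)), -1, Q) % Q
    return c3p * pow(c1p * pow(c2p, z2, P) % P, -1, P) % P


def run_vote(choice):
    """Voter -> proxy -> candidate for one ballot; returns the decoded vote type."""
    voter, candidate = keygen(), keygen()
    entry = admin_list_entry(voter["sk"])
    sigma = enc(voter, VOTES[choice])
    sigma2 = reenc(sigma, rekeygen(voter, candidate["pk"]), entry)
    m = dec(sigma2, candidate["sk"])
    return next(name for name, elem in VOTES.items() if elem == m)


if __name__ == "__main__":
    print(run_vote("dissenting"))
```

The modular inverses use `pow(x, -1, n)`, which needs Python 3.8 or later.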

4. Security Proof

Theorem. Assuming the DDH assumption holds, the PRE scheme proposed in this paper achieves CCA2 security in the random oracle model.

Proof. If there exists an adversary \(\mathcal{A}\) that can break the CCA2 security of our proposal with a non-negligible advantage, then an algorithm can be built to solve the DDH problem by using \(\mathcal{A}\). On DDH input \(\left\langle\mathbb{G}=\langle g\rangle, g^{a}, g^{b}, T\right\rangle\), C is constructed to decide whether \(T=g^{ab}\). The following random oracles are built by the challenger C.

\(O_{H_{1}}\): C checks whether \((R,\beta)\) has occurred in the \(H_{1}^{list}\). If \((R,\beta)\) exists, C responds to \(\mathcal{A}\) with \(\beta\). Otherwise, select \(\beta \leftarrow \mathbb{Z}_{q}^{*}\), put the tuple \((R,\beta)\) into the list \(H_{1}^{list}\) and respond with \(H_{1}(R)=\beta\).

\(O_{H_{2}}\): C checks whether the tuple \(H_{2}(R_{1},R_{2},R_{3},R_{4},R_{5},\gamma)\) has occurred in the \(H_{2}^{list}\). If the tuple exists, C responds to \(\mathcal{A}\) with \(\gamma\). Otherwise, select \(\gamma \in \mathbb{Z}_{q}^{*}\), put the tuple \(H_{2}(R_{1},R_{2},R_{3},R_{4},R_{5},\gamma)\) into the list \(H_{2}^{list}\) and respond with \(H_{2}(R_{1}\|R_{2}\|R_{3}\|R_{4}\|R_{5})=\gamma\).

C maintains two initially empty lists, \(K_{u c}^{\text {list }}\) and \(R^{list}\). These two lists store key pairs and re-encryption keys, respectively.

Phase 1. Adversary \(\mathcal{A}\) issues a series of queries which C answers \(\mathcal{A}\) as follows:

Public key generation oracle OPK: C generates the uncorrupted-keys and corrupted-keys as follows.

1. The corrupted user inputs the public key, and this oracle sets pki=(pki,1, and records \((pk_{i,1},pk_{i,2},sk_{i,1},sk_{i,2})\) into the list \(K_{c}^{\text {list }}\), where and \(s k_{i, 1}=z_{1}+s k_{i, 2} \cdot z_{2} \bmod q\), and \(z_{1},z_{2},sk_{i,1},sk_{i,2}\) are randomly selected from \(\mathbb{Z}_{q}^{*}\).

2. The uncorrupted user inputs the public key, and this oracle sets \(pk_{i}=\left((g^{a})^{sk_{i,1}},(g^{a})^{sk_{i,2}}\right)\) and records \((pk_{i,1},pk_{i,2},sk_{i,1},sk_{i,2})\) into the list \(K_{u c}^{\text {list }}\), where \(sk_{i,1}\) and \(sk_{i,2}\) are random numbers from \(\mathbb{Z}_{q}^{*}\).

Secret key generation oracle \(O_{SK}\): When an uncorrupted user inputs \(pk_{i}=(pk_{i,1},pk_{i,2})\), C checks \((pk_{i,1},pk_{i,2},sk_{i,1},sk_{i,2})\) in the list \(K_{u c}^{\text {list }}\) and returns the corresponding \(sk_{i,1},sk_{i,2}\) to \(\mathcal{A}\). C returns a random number in the same form as the private key as the corresponding private key of the corrupted public key.

Re-encryption key generation oracle \(O_{RK}\): If \(g^{S}=A^{H_{3}(A\|B\|C_{1}\|C_{2}\|U_{2})} \cdot B\), this oracle continues with the subsequent operations; otherwise, the oracle returns ⊥ and halts. The input is \((pk_{i},pk_{j})\), where \(pk_{i}=(pk_{i,1},pk_{i,2})\), \(pk_{j}=(pk_{j,1},pk_{j,2})\). \(pk_{i}\) and \(pk_{j}\) are both from \(O_{RK}\).

1. When the corrupted pki is input, C retrieves the corresponding tuple of pki from \(K_{c}^{\text {list }}\). Then, C generates ski by running the real execution operations in the scheme.

2. When uncorrupted pki and pkj are input, C retrieves the corresponding tuple of pki from \(K_{u c}^{\text {list }}\), obtains the tuple \(\left(s k_{i, 1}, s k_{i, 2}\right)\) satisfying \(s k_{i, 1}=z_{1}+s k_{i, 2} \cdot z_{2} \bmod q\), and then runs the operations in ReKeyGen to obtain the re-encryption key. Finally, C returns the generated re-encryption key. If no such tuple exists, C returns ┴.

3. If pki is uncorrupted and pkj is corrupted, C outputs "failure" and aborts.

4. Return RKi→j=(rk1,rk2,rk3) to C.

Re-encryption oracle ORE: on inputting (pki,pkj,σ), C returns ReEnc(σ,ORK(pki,pkj)).

Decryption oracle ODEC: On inputting (pki,σ'), C replies as follows.

1. When the corrupted pki is input, C retrieves the corresponding tuple of ski from \(K_{c}^{\text {list }}\). Then, C outputs decrypted results by running the real execution operations in the scheme.

2. When the uncorrupted pki and σ'=(A,B,C1,C2,U2) are input, C continues as below.

a) Retrieve(A,B,C1,C2,U2,γ) in the table H2 and (R,β) in the H1. As the tuple can be found and it satisfy and gS=AH2(A||B||C1||C2||U2)·C and U1=U2·gH1(R), C continues. If the tuple cannot be found, this oracle outputs ┴ and halts.

b) When a corrupted user inputs pkj and the associated private key skj, C returns Dec(ReEnc(σ,ORK(pki,pkj)),skj).

Challenge. When the above queries are finished, \(\mathcal{A}\) transmits \(p k_{i, n}^{\prime}\) and m0,m1∈{0,1} to C.

In addition, the two messages m0,m1 have the same length. Algorithm \(\mathcal{A}\) recovers the tuple (pki,n,ski,n,c) from Klist. C picks d←{0,1} and the challenge ciphertext is created as below.

1. \(C_{1}^{\prime}=g^{r z_{1}}=g^{b z_{1}}\)

2. \(C_{2}^{\prime}=p k_{i, n, 2}^{r}=g^{a b \cdot s k_{i, n, 2}}=\left(p k_{i, n, 2}\right)^{b}\)

3. \(C_{3}^{\prime}=p k_{i, n, 1}^{r} \cdot m=g^{a b \cdot s k_{i, n, 2}} \cdot m=p k_{i, n, 1}^{b} \cdot m\)

4. \(C_{4}^{\prime}=H_{4}\left(\left(p k_{j, l, 2}^{v}\right)^{s k_{i, n, 1}}\right) \cdot z_{2} \bmod q=H_{4}\left(\left(\left(g^{a}\right)^{s k_{j, l, 2} v}\right)^{s k_{i, n, 1}}\right) \cdot z_{2} \bmod q\)

5. \(C_{5}^{\prime}=p k_{i, n, 1}^{v}=g^{a v}\)

Phase 2. Adversary repeats queries under the conditions as below.

1. \(O_{R K}\left(s k_{i}^{*}, p k_{j}\right)\) is only allowed if pkj is from \(K_{uc}^{\text {list }}\).

2. If \(\mathcal{A}\) issues ReEnc(σ,RKi→j)→σ', where RKi→j comes from (par, ski, pkj)→RK and pkj comes from \(K_{c}^{\text {list }}\), then (ski, σ) cannot be a derivative of \(\left(s k_{i}^{*}, \sigma^{*}\right)\).

Guess. Eventually, adversary \(\mathcal{A}\) returns a guess d'∈{0,1} to C. Notice that, when \(T=g^{a b}\), the \(\delta=\left(A^{*}, B^{*}, C_{1}^{\prime *}, C_{2}^{\prime *}, C_{3}^{\prime *}, C_{4}^{\prime *}, C_{5}^{\prime *}, U_{2}^{*}\right)\) equals \(\mathbf{R e E n c}\left(\sigma, R K_{i \rightarrow j}\right) \rightarrow \sigma^{\prime}\). The value \(T=g^{a b}\) is replaced by a random value \(T \in \mathbb{G}\). Therefore, the adversary cannot guess the value in the challenge ciphertext with a probability higher than 1/2.

5. Our Proposed E-Voting Scheme

In this part, we present our voting scheme. Firstly, we illustrate the design model of the scheme, briefly overview the scheme and discuss the security requirements and assumptions. Secondly, we describe the complete voting scheme in detail. Finally, a security proof of the requirements of the voting scheme and an efficiency analysis are presented.

5.1 Model of the Scheme

5.1.1 Overview of the Proposed E-Voting Scheme

As shown in Fig. 3, our proposed voting system includes a front-end client interface for voters’ operations, an honest-but-curious proxy to re-encrypt voters’ ballots, a bulletin board to announce and publicize any voting-related information, and a decryption program for candidates to decrypt the ballots cast for them. Fig. 3 makes the flow of information clear: (1) via different kinds of end devices, voters prepare their ballots and cast them to the proxy; (2) the proxy takes a voter’s ballot as input, re-encrypts it, and publishes the result to the bulletin board; (3) candidates read from the publicly accessible bulletin board, decrypt the re-encrypted ballots cast for them, publish them with the voters’ unforgeable anonymous signatures, and send the secret keys they used in this election to the bulletin board for auditing; (4) a tallying script runs on the bulletin board to produce the statistics of the election.

Fig. 3. Voting system model diagram

Following the flow of information in this voting system, our scheme is divided into six phases: system initialization, voter registration, ballot casting, proxy re-encryption, ballots opening and tallying, and ballots verifying and auditing. Details of these six phases are discussed in Section 5.2. The system communication diagram shown in Fig. 4 illustrates the communication sequence in our system. From this perspective, the participants in the scheme are divided into five entities and the scheme into 16 steps. The definition and model of the entities are discussed in Section 5.1.2, and how these 16 steps work and form the six phases is described in Section 5.2.

Fig. 4. Voting system model diagram

5.1.2 Entities in the E-Voting Process

Our proposal contains several entities: the administrator, the voters, the proxy, and the candidates. In addition, the bulletin board also serves as an entity to display the voting results. Fig. 4 is the system communication diagram that illustrates the sequence of interactions between the entities in our scheme. The detailed corresponding definitions of the entities are shown as follows:

Administrator: He/she is responsible for initializing system parameters and organizing or controlling the voting process.

Voters: Voters are the main body of an election. They register in the voting system and then vote for candidates according to their own judgment. In the description of our scheme, we denote Alice as a voter.

Proxy: A proxy is an honest-but-curious authority that receives the encrypted ballots from incognito voters and publishes the re-encrypted ballots to the bulletin board. Honest-but-curious means that the proxy will honestly follow the designed steps but will try to delve into the relationship between a ballot and the real-world identity of its voter.

Bulletin board: It is a publicly accessible database that resists tampering attacks [33], which contains voting-related information, such as system parameters and re-encrypted votes. In some literature, it is also called the ballot box. To achieve the features above, a bulletin board can be implemented by a public blockchain.

Candidates: Candidates play the role to be elected in the e-voting system. They compete to win the election and may try any approaches to get more ballots towards them on the bulletin board. In the description of our scheme, we denote Bob as a candidate.

5.1.3 Security Requirements and Assumptions

Here we enumerate the security requirements satisfied in our voting scheme. We divide the requirements into two classes: core requirements and additional requirements. Core requirements should be satisfied by all voting schemes and additional requirements are cherry picked to fit distinct voting environments.

Core requirements:

Completeness. When all participants follow the protocol, the count of valid votes is accurate.

Privacy. This protocol will ensure the anonymity of ballots, that is, the ballots cast by voters will not reveal the identity of voters.

Unreusability. The ballot of the same legal voter will not be counted twice.

Eligibility. Only the ballot of legal voters will be counted as the final number of votes.

Verifiability. The final result can be verified by any skeptics.

Additional requirements:

Vote-and-go. A voter can go online once his ballot is cast.

Robustness. The result of the election is proper in the assumption of a certain amount of malicious voters or partial failure of the system.

Efficiency. The computational overhead and communication overhead are not too huge in the proposed scheme. This feature allows voters to use a tablet or mobile phone to complete the vote.

Receipt-freeness. A voter is not able to prove to someone that he has finished voting for a certain person in some way.

Coercion-resistance. A voter cannot be coerced into voting in a certain approach.

In our system, we use proxy re-encryption to further help voters vote fairly according to their wishes. In a voting system, fair voting is usually realized by ensuring that no one can calculate part of the result before the end of the election. However, in some cases, candidates can obtain information on how many people have voted for them during the election process and can adopt corresponding campaign strategies based on the information acquired. Therefore, we propose a new voting scheme for this environment, whose property we call candidate adaptability. Before the voting begins, no voters can break the agreement to get any results. In the voting process, each candidate can only know the number of votes he obtained during the election process, but he cannot know the exact number of votes of other competitors.

Candidate-adaptiveness. In the voting process, each candidate can only obtain the number of votes he obtained during the election process, but he cannot know the exact number of votes of other competitors.

In our scheme, the proxy re-encrypts the vote, and then the re-encrypted ciphertext is randomly encrypted by the administrator. The randomly encrypted ciphertext is sent to the bulletin board as the vote. Finally, when the vote results are published, the randomly encrypted ciphertext is decrypted jointly by the administrator and the candidate. In the above voting phase, only the administrator is aware of the relationship between the final ciphertext published on the bulletin board and the re-encrypted ciphertext of the voter. Although the candidate can obtain the ciphertext published on the bulletin board, the voter cannot prove to candidates that they have voted for that candidate. In addition, it is possible that the voter has cast a negative vote for the candidate in the voting encryption phase. In other words, even if the candidate confirms that the voter has voted for him/her, the candidate cannot confirm whether the vote is positive or negative. The encrypted vote is a meaningless and irregular text, so candidates cannot recognize the specific content of the vote. This is also a huge advantage brought by the application of encryption technology to the voting system.

5.2 The Voting System

System initialization phase in Fig. 4 The detailed processes of voting system are described as follows.

5.2.1 System Initialization and Voter Registration

Alice (1) sends a registration request to the administrator and (2) then receives a key pair from the private key generator (PKG). (3) Meanwhile, the PKG sends this voter’s verification key to the administrator.

Protocol 1: Setup(1^k)→par

Protocol 2: KeyGen(par)→SK

5.2.2 Ballot Casting

After all legitimate users have registered or the deadline of the registration phase has passed, the system administrator broadcasts to all registered voters to enable voting. To trigger this phase, the administrator can use several approaches, including (1) sending e-mail to all registered voters, or (2) enabling the voting function in the client interface of registered voters.

One voter, say Alice, prepares her ballot as follows: Alice (1) chooses one of the vote types (positive vote or negative vote) as the voting message, then (2) finds the corresponding public key pkj,l of the candidate on the bulletin board and generates the conversion key ReKeyGen(par,ski,n,pkj,l)->RK, and (3) invokes the re-encryption protocol to generate the ciphertext Enc(par,pki,n,m)->σ. The completed ballot contains the ciphertext σ and the re-encryption key RK. Once the ballot is prepared, Alice casts it to the proxy via an anonymous communication channel. In our proposed scheme, after voting, the voter need not perform any further computation or interaction. That is to say, our scheme achieves the so-called Vote-And-Go feature.

Protocol 3: Administrator List(ski,n)→List

Protocol 4: ReKeyGen(par,ski,n,pkj,l)→RKi→j

Protocol 5: Enc(par, pki,n,m)→σ

Protocol 6: ReEnc(σ,RKAdm,RKi→j)→CAdm

5.2.3 Ballot Re-encryption

On receiving a voter’s message, say a ballot from Alice, the proxy calls the re-encryption algorithm of our scheme as follows: (1) it first checks the identity verification, and if it holds, (2) it inputs ciphertext σ' and conversion key RK and computes the re-encrypted ciphertext ReEnc(σ,RK)→σ', and (3) it sends the computation result σ' to the bulletin board with a timestamp timei. If the check in step (1) fails, the proxy sends the original message σ' from voter votert to the bulletin board with an error message suggesting that votert cast a valid ballot.

5.2.4 Ballots Opening and Tallying

Since the bulletin board is publicly accessible, candidates can keep an eye on the re-encrypted ballots on it. Once a ballot is recorded on the bulletin board, candidate Bob can try to decrypt the record with his private key skj,l and find out whether the ballot is a vote for him, i.e. whether the plaintext of the decrypted message is his encoded identity. In the decryption process, Bob (1) checks the identity verification, and (2) outputs the plaintext m by invoking the decryption algorithm Dec(σ',skj,l)→m. If Bob’s public key successfully decrypted it, Bob would know that he has received one vote, and if not, Bob would only know that one of his opponents has got this vote, without explicit knowledge of which one.

When the date of opening is due, the system administrator sends the messages separated in different stages to the bulletin board and requests the candidates to publish their private keys to the bulletin board. The private keys of candidates form a set on the bulletin board as skj,l={skj,1,skj,2,...,skj,l}. After the above operations, the counting script on the bulletin board is triggered to calculate the number of votes for each candidate.

This script can be implemented as smart contract over blockchain-based bulletin board.

Protocol 7: Dec(Cadm,skAdm,skj,l)→m

5.2.5 Ballots Verifying and Auditing

After counting all the votes, the elector and any skeptical voters can conduct additional audits. By verifying the candidate’s private key set posted on the bulletin board and the re-encrypted ballot, the elector and any skeptical voters can review the authenticity of the vote. If the decrypted message does not match any value in the candidate slate, it will be regarded as a dummy vote and will not count into ballot pool of any candidate.
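The ballot flow of Sections 5.2.2 to 5.2.5 (casting, proxy re-encryption, opening, and tallying with dummy-vote rejection) can be traced in the following added example, which is not the paper's code. It substitutes a simplified ElGamal-style unidirectional re-encryption for the paper's scheme, so it has neither the CCA validity checks nor the collusion resistance, and it omits the administrator's randomization layer; the toy 63-bit group, `VOTE_CODES` and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

def _is_prime(n):
    """Miller-Rabin with the first 12 primes as bases (exact for n < 2**64)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(start):
    """Smallest safe prime p = 2q + 1 whose prime q is >= start."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Toy 63-bit group so the example runs offline; far too small for real use.
P, Q = _safe_prime(1 << 62)
G = 4  # 4 = 2^2 is a square mod P, so it generates the subgroup of prime order Q
# Assumed encoding of the two vote types as group elements.
VOTE_CODES = {pow(G, 1, P): "positive", pow(G, 2, P): "negative"}

def _rand_exp():
    return secrets.randbelow(Q - 1) + 1

def _mask(element):
    """Hash a group element to a 256-bit mask (hides h from the proxy)."""
    return int.from_bytes(hashlib.sha256(str(element).encode()).digest(), "big")

def keygen():
    sk = _rand_exp()
    return sk, pow(G, sk, P)

def enc(pk_voter, m):
    """Voter encrypts under her own key: sigma = (g^{x r}, m * g^r)."""
    r = _rand_exp()
    return pow(pk_voter, r, P), m * pow(G, r, P) % P

def rekeygen(sk_voter, pk_cand):
    """rk1 = h/x lets the proxy turn g^{x r} into g^{h r}; h is sent to the
    candidate under hashed ElGamal, so the proxy alone never learns h or x."""
    h, v = _rand_exp(), _rand_exp()
    return h * pow(sk_voter, -1, Q) % Q, pow(G, v, P), h ^ _mask(pow(pk_cand, v, P))

def reenc(sigma, rk):
    """Proxy step: transforms the ciphertext without seeing the vote."""
    (c1, c2), (rk1, big_v, w) = sigma, rk
    return pow(c1, rk1, P), c2, big_v, w

def dec(sigma2, sk_cand):
    """Candidate step: recover h, strip it from g^{h r}, unmask m."""
    c1, c2, big_v, w = sigma2
    h = (w ^ _mask(pow(big_v, sk_cand, P))) % Q
    if h == 0:
        return None
    g_r = pow(c1, pow(h, -1, Q), P)
    return c2 * pow(g_r, -1, P) % P

def cast_ballot(cand_pk, vote):
    """5.2.2: a ballot is the ciphertext plus the re-encryption key."""
    sk, pk = keygen()  # fresh voter key pair
    m = next(code for code, name in VOTE_CODES.items() if name == vote)
    return enc(pk, m), rekeygen(sk, cand_pk)

def tally(board, published_keys):
    """5.2.4/5.2.5: try every published candidate key on every board entry;
    an entry that opens to no valid vote code is a dummy vote."""
    counts = {name: {"positive": 0, "negative": 0} for name in published_keys}
    dummy = 0
    for entry in board:
        for name, sk in published_keys.items():
            vote = VOTE_CODES.get(dec(entry, sk))
            if vote:
                counts[name][vote] += 1
                break
        else:
            dummy += 1
    return counts, dummy

def demo():
    (bob_sk, bob_pk), (carol_sk, carol_pk) = keygen(), keygen()
    _, stranger_pk = keygen()  # a key that is not on the candidate slate
    casts = [(bob_pk, "positive"), (bob_pk, "negative"),
             (carol_pk, "positive"), (stranger_pk, "positive")]
    # 5.2.3: the proxy re-encrypts each ballot and posts it to the board.
    board = [reenc(*cast_ballot(pk, vote)) for pk, vote in casts]
    # During the election Bob can open only the ballots addressed to him.
    bob_view = [VOTE_CODES.get(dec(entry, bob_sk)) for entry in board]
    counts, dummy = tally(board, {"Bob": bob_sk, "Carol": carol_sk})
    return bob_view, counts, dummy

if __name__ == "__main__":
    print(demo())
```

In this stand-in, a proxy that colludes with a candidate can recover the voter's secret key from `rk1` and `h`, which is the collusion attack the paper's scheme is designed to resist.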

6. Efficiency Comparison

Tables 2, 3, and 4 compare our scheme with several other PRE schemes. The comparison items include properties and costs.

Table 2. A comparison of PRE schemes

Table 3. Computation cost comparison

Table 4. Communication complexity comparison

Some important properties related to proxy re-encryption schemes are compared and listed in Table 2, such as security, the underlying hard problem, and collusion-resistance. In the table, the symbol ‘\(\sqrt{ }\)’ is given in the corresponding item when the scheme has this property. The symbol ‘×’ is given in the corresponding item when the scheme does not have this property. In Table 2, "weak" indicates that the scheme cannot achieve complete resistance to collusion attacks. The proxy can obtain the underlying encrypted messages through collusion attacks.

In Table 3, tp signifies the execution time of a pairing; ts and te1 signify the execution time of a scalar multiplication and an exponentiation in G1, respectively; te denotes an exponentiation in Gt; Sig represents the operation of a one-time signature, and Ver represents the operation of verification; k1, k2, k3, k4 and n represent a security parameter, the bit-length of {0,1}k1, {0,1}k2, {0,1}k3, {0,1}k4 and {0,...n}, respectively.

In Table 4, |G|, |Gt| and |Zq| signify the length of an element in G, Gt and Zq, respectively. Moreover, |ks|, |σs|, |T|, |M|, |SymEnc| signify the length of the one-time signing key, the signature, the timestamp, the message, and the one-time symmetric encryption ciphertext, respectively; l signifies the size of the keyword set in some keyword search schemes. According to the comparison results of the table, the detailed analysis is as follows:

(1) In Table 2, we present the comparison with recently proposed schemes in terms of security properties. Schemes [14], [34-36] are some representative classic proxy re-encryption schemes. In addition, to further analyze the advantage of our encryption scheme in the e-voting system, some encryption schemes applied in voting systems [37-39] are also compared. Meanwhile, the latest proxy re-encryption schemes [40-43] are also compared to further justify that the results of our proposed research are better. From the comparison in Table 2, it can be noticed that some PRE or e-voting schemes [14, 34, 37, 41] only achieve CPA security or do not provide a standard security proof. Our scheme achieves a higher security level (CCA security) based on the DDH hard problem.

(2) Comparing the computation cost with PRE schemes and e-voting schemes in Table 3, our scheme does not bear any pairing computation cost, and our scheme does not have ‘‘Dec(first level)” due to the demands of the voting system. In our scheme, some hash operations are used in the protocol to protect the security of secret keys or verify the integrity of transformed data. In some schemes [36, 37, 40, 41, 42, 43], the data integrity is verified by bilinear pairing operations. It is worth mentioning that the hash operations in our scheme can be calculated much faster than the bilinear pairings in other schemes.

(3) The result of the communication complexity comparison can be found in Table 4. Compared with PRE schemes [14, 34, 35, 36, 37, 40, 41, 42, 43], our scheme generates a trivial amount of overhead in communication cost. For the communication cost of the re-encryption key, our scheme only costs one length of an element in and two lengths of an element in . Our proxy re-encryption scheme uses dual public keys and dual private keys as the real identity and voting system identity, respectively. The true identity information of voters is hidden and the voter is able to vote anonymously. This cost is considerably lower than the latest PRE schemes [37, 40, 41, 42, 43] and marginally higher than some of the classic PRE schemes, in exchange for better security and data integrity. For the communication cost of the original length and the transformed length, our scheme does not bear pairing communication cost in the ciphertext, and the slightly higher cost in the element in is to verify the data integrity. Compared with other encryption schemes used in e-voting systems [37-39], our scheme is lightweight in achieving the re-encryption function and thus can be applied on both mobile devices and desktops. Therefore, our scheme is more suitable for voting system applications requiring low overhead and a re-encryption function. In conclusion, our scheme generates a trivial amount of overhead in communication cost.

(4) Statistical analysis: Through the method of statistical analysis, we further compare the schemes in Table 3. The total overhead of the “Enc” algorithms of the schemes compared in Table 3 is 295.376 ms, and the total cost of the “ReEnc” algorithms is 334.3048 ms. The total cost of the “Dec” algorithms of the compared schemes in Table 3 is 475.319 ms. The average cost of the “Enc” algorithms for all schemes is 21.098 ms, and the average cost of the “ReEnc” algorithms for all schemes is 27.858 ms. The average cost of the “Dec” algorithms for all schemes is 33.95142 ms. It can be clearly seen that the cost of our scheme in the encryption algorithm, re-encryption algorithm, and decryption algorithm is much lower than the average cost of the compared schemes.

(5) We simulated a real environment using a desktop computer equipped with an Intel Core i7-7700 processor at 3.60 GHz, 8 GB of memory, and Windows 10. We implemented our code in Microsoft Visual C++ 6.0 with the PBC library. To offer appropriate security, we used a PBC Type A pairing, which is constructed on the elliptic curve \(y^{2} \equiv x^{3}+x \bmod p\) for some prime \(p \equiv 3 \bmod 4\) along with an embedding degree of 2. The detailed experimental results of our scheme and other schemes are shown in Fig. 5, Fig. 6, and Fig. 7.

Fig. 5. Computation cost comparison of Enc

Fig. 6. Computation cost comparison of ReEnc

Fig. 7. Computation cost comparison of Dec

(6) Fig. 5 shows the computation time needed to run the Enc algorithm in our scheme and in the compared PRE schemes and e-voting schemes. It is seen that, in our scheme, the time required to produce the original ciphertext is slightly less than in [14, 34, 36] and far less than in the schemes [37, 38, 39, 40]. Fig. 6 shows the time taken to execute the ReEnc algorithm in our scheme and in the compared PRE schemes. It is seen that our scheme requires less time than the other schemes. Fig. 7 shows the time taken to decrypt a ciphertext in our scheme and in the PRE schemes and e-voting schemes. It is seen that decrypting the ciphertext in our scheme requires less time than decrypting the ciphertext in both the other PRE schemes and the e-voting schemes.

7. Conclusion

In this paper, we proposed a simple and efficient proxy re-encryption scheme and a related proxy re-encryption protocol for e-voting schemes. The data security and user privacy of the voting system are ensured by this protocol. In our scheme, the protection of voter privacy is achieved by a re-encrypted ballot provided by a proxy and a randomization encryption service provided by the administrator. This method can be used in most e-voting schemes to provide receipt-freeness in a very efficient manner. The scheme is resistant to both CCA and collusion. A detailed voting system architecture is also provided in the paper. In the course of this long-term research, we found that there are still meaningful points that we will continue to pursue in future work.

● In the voting process, voters often want to vote in more convenient ways, such as on mobile phones, laptops, and tablets. In the process of voting statistics and announcements, a central computer with supercomputing power is often required to count and analyze the votes. These different devices often generate different forms of ciphertext. In order to better adapt to different encryption devices, we will propose a heterogeneous proxy re-encryption scheme adapted to the voting system to help users complete voting securely and conveniently.

● Most of the proposed proxy re-encryption schemes are based on number-theoretic problems and cannot resist quantum attacks. As a new type of encryption technology, lattice-based encryption can resist quantum attacks and strengthen the security of the voting system. In the future, we will design and propose a lattice-based proxy re-encryption voting protocol to help the voting system resist quantum attacks.

Discussion: Resistance to vote buying and coercion is regarded as an important security requirement. These problems can be avoided to a great extent through the joint implementation of physical infrastructure, network protocols, and encryption technology. However, voting is based on social behavior. Thus, the above technical means can enhance data security and privacy and prevent the voter from providing a receipt, but cannot completely eliminate human factors. If the voters cannot provide a receipt, these issues are limited to social problems and are out of the scope of our discussion.

References

  1. W. Deng, H. Liu, J. Xu, H. Zhao, Y. Song, "An improved quantum-inspired differential evolution algorithm for deep belief network," IEEE Transactions on Instrumentation and Measurement, vol. 69, no. 10, pp. 7319-7327, 2020. https://doi.org/10.1109/tim.2020.2983233
  2. H. Zhao, J. Zheng, W. Deng, Y. Song, "Semi-supervised broad learning system based on manifold regularization and broad network," IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 67, no. 3, pp. 983-994, 2020. https://doi.org/10.1109/tcsi.2019.2959886
  3. R. Fotohi, S. F. Bari, M. Yusefi, "Securing Wireless Sensor Networks Against Denial-of-Sleep Attacks Using RSA Cryptography Algorithm and Interlock Protocol," International Journal of Communication Systems, vol. 33, no. 4, pp. e4234, 2019. https://doi.org/10.1002/dac.4234
  4. S. Jamali, R. Fotohi, "DAWA: Defending against wormhole attack in MANETs by using fuzzy logic and artificial immune system," the Journal of Supercomputing, vol. 73, no. 12, pp. 5173-5196, 2017. https://doi.org/10.1007/s11227-017-2075-x
  5. R. Fotohi, "Securing of Unmanned Aerial Systems (UAS) against security threats using human immune system," Reliability Engineering & System Safety, vol. 193, pp. 106675, 2020. https://doi.org/10.1016/j.ress.2019.106675
  6. S. Jamali, R. Fotohi, "Defending against wormhole attack in MANET using an artificial immune system," New Review of Information Networking, vol. 21, no. 2, pp. 79-100, 2016. https://doi.org/10.1080/13614576.2016.1247741
  7. R. Fotohi, E. Nazemi, F. S. Aliee, "An Agent-Based Self-Protective Method to Secure Communication between UAVs in Unmanned Aerial Vehicle Networks," Vehicular Communications, vol. 26, pp. 100267, 2020. https://doi.org/10.1016/j.vehcom.2020.100267
  8. R. Fotohi, Y. Ebazadeh, M. S. Geshlag, "A new approach for improvement security against DoS attacks in vehicular ad-hoc network," International Journal of Advanced Computer Science and Applications, vol. 7, no. 7, pp. 10-16, 2016.
  9. R. Aditya, B. Lee, C. Boyd, E. Dawson, "Implementation issues in secure e-voting schemes," in Proc. of Abstracts and Papers (On CD-Rom) of the Fifth Asia-Pacific Industrial Engineering and Management Systems (APIEMS) Conference 2004 and the Seventh Asia-Pacific Division Meeting of the International Foundation of Production Research. Queensland University of Technology, pp. 1-14, 2004.
  10. H. Chen, R. Deviani, "A secure e-voting system based on rsa time-lock puzzle mechanism," in Proc. of 2012 Seventh International Conference on Broadband, Wireless Computing, Communication and Applications, pp. 596-601, 2012.
  11. M. Blaze, G. Bleumer, M. Strauss, "Divertible protocols and atomic proxy cryptography," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 127-144, 1998.
  12. J. Do, Y. Song, N. Park, "Attribute based proxy re-encryption for data confidentiality in cloud computing environments," in Proc. of 2011 First ACIS/JNU International Conference on Computers, Networks, Systems and Industrial Engineering, pp. 248-251, 2011.
  13. T. Bhatia, A. Verma, G. Sharma, "Secure sharing of mobile personal healthcare records using certificateless proxy re-encryption in cloud," Transactions on Emerging Telecommunications Technologies, vol. 29, no. 6, pp. e3309, 2018. https://doi.org/10.1002/ett.3309
  14. G. Ateniese, K. Fu, M. Green, S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Transactions on Information and System Security, vol. 9, no. 1, pp. 1-30, 2006. https://doi.org/10.1145/1127345.1127346
  15. B. Harris, D. Allen, "Black box voting: Ballot tampering in the 21st century," Renton, Washington: Talion, 2004. [Online]. Available: http://instinct.org/texts/black-box-voting/
  16. B. Adida, "Helios: Web-based open-audit voting," in Proc. of USENIX security symposium, vol. 17, pp. 335-348, 2008.
  17. B. Adida, O. Marneffe, O. Pereira, J.J. Quisquater, "Electing a university president using open-audit voting: Analysis of real-world use of helios," in Proc. of USENIX Security Symposium, vol. 9, no. 10, 2009.
  18. R. T. Mercuri, "Electronic vote tabulation checks and balances," 2001.
  19. J. C. Benaloh, D. Tuinstra, "Receipt-free secret-ballot elections," in Proc. of the twenty-sixth annual ACM symposium on Theory of computing. pp. 544-553, 1994.
  20. M. Hirt, K. Sako, "Efficient receipt-free voting based on homomorphic encryption," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 539-556, 2000.
  21. S. S. Chow, J. K. Liu, D. S. Wong, "Robust receipt-free election system with ballot secrecy and verifiability," in Proc. of the Network and Distributed System Security Symposium, vol. 8, pp. 81-94, 2008.
  22. R. Wen, R. Buckland, "Masked ballot voting for receipt-free online elections," in Proc. of International Conference on E-Voting and Identity, pp. 18-36, 2009.
  23. B. Yu, J. K. Liu, A. Sakzad, S. Nepal, R. Steinfeld, P. Rimba, M. H. Au, "Platform-independent secure blockchain-based voting system," in Proc. of International Conference on Information Security, Springer, pp. 369-386, 2018.
  24. Z. Xia, Z. Tong, M. Xiao, C.C. Chang, "Framework for practical and receipt-free remote voting," IET Information Security, vol. 12, no. 4, pp. 326-331, 2018. https://doi.org/10.1049/iet-ifs.2017.0213
  25. K. Sako, J. Kilian, "Receipt-free mix-type voting scheme," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 393-403, 1995.
  26. T. Okamoto, "Receipt-free electronic voting schemes for large scale elections," in Proc. of International Workshop on Security Protocols, pp. 25-35, 1997.
  27. J. Furukawa, K. Sako, "An efficient scheme for proving a shuffle," in Proc. of Annual International Cryptology Conference, pp. 368-387, 2001.
  28. B. Lee, K. Kim, "Receipt-free electronic voting scheme with a tamper resistant randomizer," in Proc. of International Conference on Information Security and Cryptology, pp. 389-406, 2002.
  29. D. Boneh, P. Golle, "Almost entirely correct mixing with applications to voting," in Proc. of the 9th ACM conference on Computer and communications security, pp. 68-77, 2002.
  30. B. Lee, C. Boyd, E. Dawson, K. Kim, J. Yang, S. Yoo, "Providing receipt-freeness in mixnet-based voting protocols," in Proc. of International Conference on Information Security and Cryptology, pp. 245-258, 2003.
  31. R. Aditya, B. Lee, C. Boyd, E. Dawson, "An efficient mixnet-based voting scheme providing receipt-freeness," in Proc. of International Conference on Trust, Privacy and Security in Digital Business, pp. 152-161, 2004.
  32. S. Tamura, H. A. Haddad, N. Islam, K. Md. R. Alam, "An Incoercible E-Voting Scheme Based on Revised Simplified Verifiable Re-encryption Mix-nets," arXiv preprint arXiv:1512.05596.
  33. J. Heather, D. Lundin, "The append-only web bulletin board," in Proc. of International Workshop on Formal Aspects in Security and Trust, pp. 242-256, 2008.
  34. G. Ateniese, K. Fu, M. Green, S. Hohenberger, "Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage," in Proc. of the Network and Distributed System Security Symposium, 2005.
  35. B. Libert, D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption," in Proc. of International Workshop on Public Key Cryptography, pp. 360-379, 2008.
  36. T. Isshiki, M. H. Nguyen, K. Tanaka, "Proxy re-encryption in a stronger security model extended from CT-RSA 2012," in Proc. of Cryptographers Track at the RSA Conference, pp. 277-292, 2013.
  37. S. Zhang, H. Xiong, " : Scalable and Portable Receipt-free E-voting Protocol without Untappable Channels," arXiv preprint arXiv:1905.05562, 2019.
  38. C. Jin, G. Chen, J. Zhao, S. Gao, C. Yu, "Identity-based Deniable Authenticated Encryption for E-voting Systems," KSII Transactions on Internet and Information Systems, vol. 13, no. 6, pp. 3299-3315, 2019. https://doi.org/10.3837/tiis.2019.06.029
  39. E. Ahene, C. Jin, F. Li, "Certificateless deniably authenticated encryption and its application to e-voting system," Telecommunication Systems, vol. 70, no. 3, pp. 417-434, 2019. https://doi.org/10.1007/s11235-018-0496-3
  40. Y. Zhan, B. Wang, Z. Wang, T. Pei, Y. Chen, Q. Qu, Z. Zhang, "Improved Proxy Re-Encryption With Delegatable Verifiability," IEEE Systems Journal, vol. 14, no. 1, pp. 592-602, 2020. https://doi.org/10.1109/jsyst.2019.2911556
  41. S. Maiti, S. Misra, "P2B: Privacy Preserving Identity-Based Broadcast Proxy Re-Encryption," IEEE Transactions on Vehicular Technology, vol. 69, no. 5, pp. 5610-5617, 2020. https://doi.org/10.1109/tvt.2020.2982422
  42. M. Su, B. Zhou, A. Fu, Y. Yu, G. Zhang, "PRTA: A Proxy Re-encryption based Trusted Authorization scheme for nodes on CloudIoT," Information Sciences, vol. 527, pp. 533-547, 2020. https://doi.org/10.1016/j.ins.2019.01.051
  43. M. Su, L. Wang, "PreBAC: a novel Access Control scheme based Proxy Re-Encryption for cloud computing," KSII Transactions on Internet & Information Systems, vol. 13, no. 5, pp. 2754-2767, 2019. https://doi.org/10.3837/tiis.2019.05.028